I've had an IPv6 tunnel from HE.net for quite some time now. Back when I was running the ASA 5505 as my edge, I had to put a router behind it to create the tunnel. Then, when I replaced the ASA with an SRX 220 back in December 2015, I was able to build the tunnel natively on the SRX. Since that time, Time Warner has gotten around to providing IPv6 in my area and I've tried a couple different times to get it working with no luck. Now, I've finally decided that I wasn't going to stop working on it until I got it working, and I've done just that, so it's time to tell you guys how to do it yourself.

First a few caveats... Obviously, Time Warner (now Spectrum) needs to provide IPv6 in your area and that your modem supports it. I don't remember how I found out that they finally had it here, but it was probably a fellow network engineer at TWC that told me. Second, realize that you're going to have to reboot the SRX, so you're going to lose connectivity for a bit. The reason you'll need to reboot is that we need to enable IPv6 flow mode, otherwise the SRX will just drop IPv6 traffic. Let's start with that...

Obviously, ssh into the SRX and enter config mode. Then enter the following command:

set security forwarding-options family inet6 mode flow-based

Then you'll need to reboot with "request system reboot". Once it comes back up, you're ready to move on.

Your ge-0/0/0.0 interface probably looks something this at present:

greg@SRX220H# show interfaces ge-0/0/0.0

description "Uplink to Cable Modem";

family inet {

dhcp;

}

We're going to need to change the dhcp daemon that you're using on that interface because if we were to continue on with what's coming, you'd get an error. Then we're going to add the ipv6 dhcpv6-client config to the same interface. Here's your commands:

That should be pretty self explanatory. You need to allow dhcpv6 through the firewall for all this to work, and we're going to use router-discovery to figure things out. Once you commit that, the SRX should ask TWC for an IPv6 address. Let's check to see if we got one...

Yes, the lease started about an hour before I posted this. I was so excited that I had to post immediately! Anyway, we're looking for that Server IP Address. Once we have that, let's add a static route to it.

The qualified-next-hop is going to give you a lot more control over a standard next-hop. Commit the config. Once everything is committed, it's time to test, so we'll ping Google's DNS server.

# run ping 2001:4860:4860::8888

You should get a response. IPv6 is now working! W00T! In order to get your network clients talking to the internet on IPv6, you'll have to configure them to use IPv6. As you can see up above in the dhcpv6 client binding detail, there's a "Client IP Prefix". That's the prefix assigned to you. If you do a "run show interfaces vlan.0 terse", you'll see that it now has an inet6 address that looks like 2605:a000:XXXX:XXXX:1::1/80. That's going to be your IPv6 router / gateway address. You can statically assign IP's by just counting up from that last ::1, so assign 2605:a000:XXXX:XXXX:1::2/80 to your workstation and try to ping 2001:4860:4860::8888. If you get a response, you're good to go.

So, that's the commands I had to enter to get IPv6 working on my SRX. YMMV depending on TWC's configuration in your area, but this should get you pretty damn close.